Closed joewiz closed 3 years ago
Now updated with entries for reviewing and merging the crypto lib package, and publishing it to the public-repo.
Crypto lib needs to wait for 5.3.0 to be released - so technically we should mention this ticket over in the crypto lib PR and not the other way around. Do you agree @joewiz ?
I think "Security - core+Saxon - XXE to RFI in fn:doc etc*" is already addressed here: [bugfix] Change XML processing defaults for v6.0.0 by dizzzz · Pull Request #3836 · eXist-db/exist
So the question is whether to accept this for security reasons even if it might affect users of the database.
@line-o Ah, I didn't realize the crypto lib's new version had to come after the release of eXist 5.3.0. Since the crypto lib's release is an important aspect of the eXist 5.3.0 release, I think it's worth keeping a checkbox here. How about if I move that to-do item to the "Finally" section?
@line-o Regarding the briefly worded "core+saxon" item, I agree that #3836 addresses the XXE issue, but it doesn't address the RFI issue. That topic came up only in the Community Call on May 10:
> Functions that can be used to perform external HTTP requests, e.g.: doc(). May need to institute a whitelist/blacklist, or disable external HTTP requests by default. Could be a configuration option—off by default in 5.3.0 but on by default in 6.0.0.
> - doc, doc-available, json-doc, unparsed-text, unparsed-text-lines
> - EXPath HTTP client
> - xinclude
> - transform:transform
>
> AR: Suggests we solve these before the forthcoming release.
This deserves its own issue, but the idea is that eXist allows guest users to trigger HTTP requests for remote files (RFI), and the configuration option envisioned here would add a condition to all functions like doc(), limiting the ability to perform HTTP requests. Perhaps the time is right for me to open an issue for further discussion of this?
Update: Issue added: https://github.com/eXist-db/exist/issues/3927.
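The "off by default" gate sketched in the Community Call notes above, written out as an added example (this is not eXist-db code): a policy object that a document-loading function would consult before dereferencing a URI. The class name, the configuration switch, the host allowlist and the sample URIs are all assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/**
 * Added example, not eXist-db code. Decides whether a URI handed to a
 * document-loading function (doc(), json-doc(), unparsed-text(), ...) may be
 * fetched over the network. Mirrors the option discussed in the thread:
 * external HTTP requests are refused unless explicitly enabled, optionally
 * restricted to an allowlist of hosts. Names are hypothetical.
 */
public final class ExternalFetchPolicy {

    private final boolean allowExternalHttp;  // hypothetical config switch; default off
    private final Set<String> allowedHosts;   // hypothetical allowlist (lowercase); empty = any host once enabled

    public ExternalFetchPolicy(boolean allowExternalHttp, Set<String> allowedHosts) {
        this.allowExternalHttp = allowExternalHttp;
        this.allowedHosts = allowedHosts;
    }

    /** Default policy: no external HTTP(S) fetches at all. */
    public static ExternalFetchPolicy defaults() {
        return new ExternalFetchPolicy(false, Set.of());
    }

    /**
     * Database-internal URIs (xmldb: and relative paths) are always allowed.
     * http/https is allowed only when the switch is on and, if an allowlist is
     * configured, the host is listed. Every other scheme is refused, so the
     * gate fails closed for anything it was not written to handle.
     */
    public boolean isAllowed(String uri) {
        final URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException e) {
            return false; // unparsable input is refused rather than guessed at
        }
        String scheme = parsed.getScheme();
        if (scheme == null || "xmldb".equalsIgnoreCase(scheme)) {
            return true; // relative path or database-internal resource
        }
        scheme = scheme.toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (!allowExternalHttp) {
            return false;
        }
        if (allowedHosts.isEmpty()) {
            return true;
        }
        String host = parsed.getHost();
        return host != null && allowedHosts.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        ExternalFetchPolicy off = ExternalFetchPolicy.defaults();
        ExternalFetchPolicy on = new ExternalFetchPolicy(true, Set.of("example.org"));
        String[] samples = {                         // constructed sample inputs
            "/db/apps/docs/index.xml",
            "xmldb:exist:///db/apps/docs/index.xml",
            "https://example.org/feed.xml",
            "https://other.example/feed.xml",
            "file:///tmp/local.xml"
        };
        for (String s : samples) {
            System.out.printf("%-42s default=%-5b allowlisted=%b%n",
                    s, off.isAllowed(s), on.isAllowed(s));
        }
    }
}
```

With the default policy only the two database-internal URIs pass; with the switch on and an allowlist of example.org, the https URI to that host also passes, while the other host and the file: URI are still refused. The point of failing closed on unknown schemes is that a gate written only as "block http" would silently let through whatever resolvers the JVM or a library happen to register.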
@joewiz re: crypto lib checkbox in Finally is good.
@joewiz regarding the introduction of new configuration option to address RFI for guest users: That deserves its separate issue, yes.
CVE-2019-17570 addresses malicious XML-RPC servers. In our scenario this is existdb itself which we ultimately trust as it is under our control, correct?
I fixed this in FusionDB previously. You basically have to host patched versions of the Apache XML-RPC Jars
Is Apache XML-RPC used as a client in exist-db or as a server?
I would like to drop #3738 from the list as it introduces a breaking change (order of application of map:merge).
Indeed, #3738 is labelled as bound for 6.0.0. Ok to remove it from this list, @adamretter?
I've split the "Update core apps to use templating v1.0.0 and remove all dependencies on shared-resources" into two separate checklist sets. This way we can track which apps have met each threshold.
> Is Apache XML-RPC used as a client in exist-db or as a server?
Both of course! eXist-db provides an XML-RPC API, and the XML:DB API also is implemented atop XML-RPC. The Java Admin Client is an XML-RPC client as are some of the functions in the XQuery XMLDB Extension module
> Indeed, #3738 is labelled as bound for 6.0.0. Ok to remove it from this list, @adamretter?
@joewiz No, it needs to be split into two parts. The parts for 5.3.0 and the parts for 6.0.0. I will try and do that over the weekend if I can find the time.
We may want to pause on merging the PRs involving updating the core apps to use the new templating module until https://github.com/eXist-db/exist/issues/3918 is resolved. The lib:parse-params templating function is affected by this issue.
Thanks to Wolfgang’s release of templating v1.0.2, which sidesteps the performance issue in https://github.com/eXist-db/exist/issues/3918, the work on migrating core apps to templating and toward removing shared-resources from them can continue.
These PRs are ready for review & merge so far:
FYI, someone checked doc and fundocs as having had their dependencies on shared-resources removed, but this is incorrect. The PRs above only switched to the new templating library; they did not fully remove shared-resources dependencies.
Oh, sorry! That was me.
@joewiz Docs have had their non-templating dependency on shared resources removed about 2 years ago, unless someone added them back in or I missed something
@duncdrum Yes, you were right! It was still listed as a dependency in pom.xml and xar-assembly.xml and a couple of references lingered, but there were no substantive dependencies, so it was easy to pull those out. Thanks!
The first app without shared-resources from the list above is now published - markdown v0.7.0 - to GitHub Releases and public-repo.
Status of the other core apps being tracked in this master issue:
As promised, I added an issue to track the feature to prevent eXist from making external HTTP requests: https://github.com/eXist-db/exist/issues/3927. I've added the link to the master description above too.
@joewiz I'll add https://github.com/eXist-db/monex/pull/155 to monex
next one on the menu is fundocs: any takers? https://github.com/eXist-db/function-documentation/pull/42
New versions of monex and eXide are available in the public repository.
All core apps are now released and available in the public package repository. The PR to update the bundled libraries and apps will be opened tomorrow.
When https://github.com/eXist-db/exist/pull/3939 is applied, shared-resources and markdown are no longer bundled with existdb
I just unchecked "Update exist-db.org with eXist 5.3.0 and updated core apps" as it appears exist-db.org is still running 5.1.1.
All incomplete tasks have been accounted for in the new master issue. Work on these should continue there. #3968
- core* - Apache XML-RPC CVE-2019-17570 / CVE-2016-5002 - https://github.com/eXist-db/exist/issues/3063 https://github.com/eXist-db/exist/pull/3934 (cannot be merged because it introduces a breaking change)
- file:sync prune param* - https://github.com/eXist-db/exist/pull/3084 (still needs XQSuite tests)
- [ ] docs* - https://github.com/eXist-db/documentation/security/dependabot (these are build warnings, not security issues with read-only running app)

Finally:
Open Issue
Note: Tasks marked with * are drawn from @adamretter's list from Slack.